1. Field of the Invention
The invention relates to a debiting device, which is arranged in a vehicle and used to deduct such tolls as are payable for the utilization of those road sections that are chargeable within a road network.
2. Description of the Related Art
EP 0 691 013 B1, to which U.S. Pat. No. 5,721,678 corresponds and whose contents are incorporated by reference in the present application, describes a utilization charging system in which the tolls that are payable in respect of road utilization by a vehicle are deducted anonymously within the vehicle itself. A debiting device is installed in the vehicle for this purpose, and debits the charge from a storage module, which contains credits in the same way as a telephone card, for example. The storage module is designed as a chip card, for example, and can be loaded with further credits, as required, in a suitable automatic machine by paying an appropriate sum of money. In order to calculate the amounts to be debited each time the vehicle uses a chargeable road section, the debiting device has access to both tariff data and geographical data relating to the chargeable road network. The device is also equipped with a receiver (GPS receiver) for receiving signals from a navigation satellite system, so that it can accurately determine the sections covered by the vehicle on chargeable roads, and therefore calculate the exact tolls that are payable.
Acceptance of such a toll charging system is dependent on a guarantee of maximum security against tampering. EP 0 701 722 B1, to which WO 94/28510 designating the U.S. corresponds and whose contents are incorporated by reference in the present application, proposes for this purpose a debiting device that, in addition to including a GPS receiver, a computer device to identify the chargeable road sections used by the vehicle in each case, and a storage module to record the tolls (chip card), also has equipment to perform self-monitoring in respect of unauthorized tampering with individual device components. The device also has an error memory to record diagnostic data in the event of unauthorized tampering, and a signaling device that transmits a signal to indicate whether the device is functioning correctly. As soon as the device's self-monitoring facility detects unauthorized tampering, the remaining device functions are automatically and immediately locked, so that the device becomes unusable from that moment.
Despite the inclusion of these security mechanisms, there is a requirement for additional or alternative security mechanisms, and particularly less expensive mechanisms, to protect against the unauthorized use of such a debiting device. It is also particularly important to protect users of the chargeable road network against unauthorized use of the credits they have purchased in order to use the road network. It would be relatively easy for a simple memory card to fall into the hands of an unauthorized user and be exploited at the expense of the legitimate owner.
The article entitled “Gebühren erfassen aus lüftiger Höhe” [GPS-based charge recording] in the publication entitled Design and Elektronik (November 1996) specifies that only the general functions of a toll device can be derived from GPS facilities. There is no reference to the implementation of a mobile toll device. With regard to protection against tampering, the only reference is to detection of an invalid vehicle class.
DE 4427392 A1 describes a toll device that is installed in a vehicle and includes a removable read/write unit for smart cards. However, it does not refer to reciprocal authentication between the removable device unit and the device component that is fixed within the vehicle, based on a vehicle-specific certificate and a certificate for the mobile unit, nor is such authentication proposed as beneficial. With regard to detection of unauthorized use, it only refers to the utilization of certain road sections without sufficient credits to pay the toll, but not to the unauthorized use of the toll device itself. PIN input is only mentioned in the context of loading the credit card via radio link.
CH 687 352 A5 describes a toll device with GPS functionality, in which a device unit referred to as a data switch unit is designed as a mobile unit, and can therefore be removed from the vehicle. In one implementation of this toll device, it is proposed that an identification code of the data switch unit be compared to the vehicle identification, so that the assignment of the data switch unit to one or more vehicles can be electronically monitored, which is particularly important in determining that the data capture device is always used in the correct type of vehicle. This document does not make any reference to the use of a memory that can be externally loaded with credits and used to deduct tolls.
U.S. Pat. No. 5,465,207 describes a vehicle data system, which includes a device for capturing data in the context of utilization and operation of transport vehicles, where these vehicles are fitted with all manner of devices for the purpose of electronic data transfer. There are no references to the calculation of charges for the use of road sections in a chargeable road network.
The objective of the present invention is to provide a debiting device that guarantees maximum protection against misuse for both the operator and the users of the toll charging system. In comparison with the potential for unauthorized use of a telephone card, this is of far greater significance, since the value of the credits purchased by the user will generally be far greater than the value stored on a telephone card.
An important principle of the present invention is that a large part of the debiting device exists as a separate module in a mobile electronic toll device, which must be linked to modules that are permanently installed in the vehicle in order to obtain the full device functionality. These modules comprise a vehicle box, an external communications module, and a holding module to accommodate the mobile toll device. At the same time, both the vehicle box and the mobile toll device should have their own device certificate, and authenticate each other reciprocally. This prevents a stolen mobile toll device, for example, from being used in any other vehicle with a (non-compatible) vehicle box in order to illegitimately use the remaining credits in the credit memory of the mobile toll device. Furthermore, the external communication facilities allow the credit memory to be loaded without the need to remove the memory itself from the device. Instead, the complete mobile unit of the toll device can be instructed to exchange data with a suitable automatic machine in order to load credits. In this case, the mobile toll device is simply placed in the vicinity of the automatic machine, for example, and the required data transfer can be performed using DSRC (dedicated short-range communication), for example. The memory holding the credits can therefore be an integral part of the mobile toll device, and could not be used by an unauthorized user without the valid vehicle box for the toll device, since it could not be authenticated.
Reciprocal authentication between the mobile toll device and the vehicle box, without which the debiting device cannot function, is a particular and significant characteristic of the present invention, since it ensures almost total protection against misuse. The level of protection offered is considerably better than can be achieved with simple identification of device modules. Simple identification only provides partial protection, since one device module only compares the device identification code received from the other device module (the one to be checked) with an individual device identification code or a list of authorized device identification codes. In other words, it only refers to specific memory information stored in the device module in each case. In principle, however, such information is susceptible to tampering.
By comparison, reciprocal authentication by device modules, each of which has its own device certificate, is considerably more secure. This is because the check performed in each case is designed to establish whether the other device module is in possession of a secret. The actual contents of the secret are not transmitted during data transfer between the device modules, nor are they stored within the checking device module. Consequently this secret, which is generated by an authority that cannot be influenced by the device user (e.g. a trust center), cannot be reconstructed by an unauthorized user and therefore cannot be tampered with.
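The reciprocal check described above, as an added illustration that is not part of the patent and does not reproduce any protocol the patent specifies: each module holds a private key that never leaves it, the trust center signs a certificate binding the module's identity, its assigned vehicle and its public key, and each side proves possession of its secret by signing a fresh challenge from the other. The use of Ed25519, the certificate layout (device ID, vehicle ID, public key) and the rule that both certificates must name the same vehicle are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Cert binds device ID, assigned vehicle and public key under a trust-center signature
// (assumed layout). The matching private key, the secret, never leaves the device.
type Cert struct {
	DeviceID, VehicleID string
	PubKey              ed25519.PublicKey
	Sig                 []byte // trust-center signature over body()
}

func (c Cert) body() []byte { return append([]byte(c.DeviceID+"|"+c.VehicleID+"|"), c.PubKey...) }

// Device models either the vehicle box or the mobile toll device.
type Device struct{ Cert Cert; priv ed25519.PrivateKey }

// Issue is the trust center personalising a device: fresh key pair plus signed certificate.
func Issue(tc ed25519.PrivateKey, deviceID, vehicleID string) Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := Cert{DeviceID: deviceID, VehicleID: vehicleID, PubKey: pub}
	c.Sig = ed25519.Sign(tc, c.body())
	return Device{Cert: c, priv: priv}
}

// prove answers a challenge by signing it; the secret itself is never transmitted.
func (d Device) prove(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// verify: certificate from the trust center, same vehicle as us, and a valid answer to our challenge.
func (d Device) verify(tcPub ed25519.PublicKey, peer Cert, nonce, proof []byte) error {
	switch {
	case !ed25519.Verify(tcPub, peer.body(), peer.Sig):
		return errors.New("certificate not issued by trust center")
	case peer.VehicleID != d.Cert.VehicleID:
		return errors.New("peer assigned to a different vehicle")
	case !ed25519.Verify(peer.PubKey, nonce, proof):
		return errors.New("peer failed challenge")
	}
	return nil
}

// MutualAuth runs the check in both directions; a failure either way leaves the device locked.
func MutualAuth(tcPub ed25519.PublicKey, box, mobile Device) error {
	n1, n2 := make([]byte, 16), make([]byte, 16)
	rand.Read(n1)
	rand.Read(n2)
	if err := box.verify(tcPub, mobile.Cert, n1, mobile.prove(n1)); err != nil {
		return err
	}
	return mobile.verify(tcPub, box.Cert, n2, box.prove(n2))
}
```

A mobile unit moved to a vehicle with a different box fails on the vehicle binding, a unit personalised by anyone other than the trust center fails on the certificate, and a copied certificate without the private key fails the challenge.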